User Login and Consent Flow for OAuth2
Hello! I am interested in using AuthBoss to handle user login and consent as part of an OAuth2 flow (I am using ORY Hydra). I am wondering:
- Is this something that makes sense to do?
- Is there a built-in way to use AuthBoss as the "Identity Provider" part of OAuth2? I see that there is an OAuth2 module, but it seems like this is for delegating authentication to another provider.
- If it makes sense but there's no built-in way, how can I modify the existing password-based use case to perform the necessary redirects when the user is authenticated and consent is granted?
I've been looking into this some more; I'm not sure that it can be achieved without making modifications to the way the auth module works. The login flow I'd like to replicate is based on this example:
GET login:
- User visits OAuth2 provider's /auth endpoint
- OAuth2 provider redirects to AuthBoss app: /login?login_challenge={challenge}
- Authboss app sends request with challenge to OAuth2 provider to see whether auth can be skipped
  - 4a. If so, accept login (POST to OAuth2 provider) and redirect
  - 4b. If not, render the login page
POST login:
- Authboss authenticates based on posted credentials
  - 2a. If valid, accept login (POST to OAuth2 provider) and redirect
  - 2b. If invalid, return to login page
Any guidance on how to integrate this extra behaviour, or any suggestions on an alternative way to achieve what I'm trying to do would be greatly appreciated.
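The GET login step described above (check with the provider whether auth can be skipped, accept and redirect if so, otherwise render the form) and the accept call reused by POST login, as an added Go example that is not code from this thread, from Authboss or from Hydra. It assumes Hydra's admin API paths /oauth2/auth/requests/login and /oauth2/auth/requests/login/accept and the JSON fields skip, subject and redirect_to.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
)

// Subset of Hydra's admin-API login request used by this flow (field names assumed).
type loginRequest struct {
	Skip    bool   `json:"skip"`
	Subject string `json:"subject"`
}
// adminCall sends one request to the Hydra admin API and decodes its JSON reply.
func adminCall(method, adminURL, path, challenge string, body []byte, out interface{}) error {
	u := adminURL + path + "?login_challenge=" + url.QueryEscape(challenge)
	req, err := http.NewRequest(method, u, bytes.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // e.g. an unknown or expired challenge (assumed 404)
		return fmt.Errorf("hydra returned %d for %s", resp.StatusCode, path)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}
// AcceptLogin tells Hydra that subject is authenticated (4a/2a) and returns the redirect URL.
func AcceptLogin(adminURL, challenge, subject string) (string, error) {
	var rep struct{ RedirectTo string `json:"redirect_to"` }
	body, _ := json.Marshal(map[string]string{"subject": subject}) // cannot fail for a string map
	err := adminCall(http.MethodPut, adminURL, "/oauth2/auth/requests/login/accept", challenge, body, &rep)
	return rep.RedirectTo, err
}
// ResolveLoginChallenge is the GET /login step: it returns the redirect URL when Hydra
// already has a session (4a) and "" when Authboss should render the login form (4b).
func ResolveLoginChallenge(adminURL, challenge string) (string, error) {
	var lr loginRequest
	if err := adminCall(http.MethodGet, adminURL, "/oauth2/auth/requests/login", challenge, nil, &lr); err != nil || !lr.Skip {
		return "", err
	}
	return AcceptLogin(adminURL, challenge, lr.Subject)
}
```

A wrapper around Authboss's /login handler would call ResolveLoginChallenge when login_challenge is present and redirect on a non-empty result, and the POST path would call AcceptLogin with the authenticated user's ID after Authboss validates the credentials.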
Hi @fenech. Authboss has only ever been imagined as the "client" in an OAuth2 flow. It's never been meant to be the server or the single sign-on source of truth. I think you'd probably have to create a whole new module for that purpose.
In the end I made this project, which wraps some middleware around the auth module to make the extra calls.
https://github.com/nbycomp/login-consent
Started https://github.com/Ashtonian/hConsenter - a min typed hydra client for the flow, and a separate module based on the login-consent app https://github.com/Ashtonian/authboss-hydra-consent/blob/master/auth.go#L43. It's still pretty rough but it's starting to take shape.
Submitted initial https://github.com/volatiletech/authboss/pull/258